Create a network connection between Astro and AWS
You can grant an Astro cluster and its Deployments access to your external AWS resources.
Publicly accessible endpoints allow you to quickly connect your Astro clusters or Deployments to AWS through an Airflow connection. If your cloud restricts IP addresses, you can add the external IPs of your Deployment or cluster to an AWS resource’s allowlist. See Connect to a public AWS endpoint.
If you have stricter security requirements, you can create a private connection to AWS in a few different ways. See Private networking connections for more information.
After you create a connection from your cluster to AWS, you might also need to individually authorize Deployments to access specific resources. See Authorize your Deployment using workload identity.
Standard and dedicated cluster support for AWS networking
Standard clusters have different connection options than dedicated clusters.
Standard clusters can connect to AWS in the following ways:
- Using static external IP addresses
- Using PrivateLink to connect with the following endpoints:
  - Amazon S3 - Gateway Endpoint
  - Amazon Simple Queue Service (SQS) - Interface Endpoint
  - Amazon Elastic Container Registry (ECR) - Interface Endpoints for ECR API and Docker Registry API
  - Elastic Load Balancing (ELB) - Interface Endpoint
  - AWS Security Token Service (AWS STS) - Interface Endpoint
Private networking connections
Dedicated clusters can connect to AWS in the same ways as standard clusters. Additionally, they support a number of private connectivity options including:
If you require a private connection between Astro and AWS, Astronomer recommends configuring a dedicated cluster. See Create a dedicated cluster. Transitive connectivity to on-premise networks is also possible through your managed VPCs. However, architectures with a demarcation point between Astro and your on-premise network are not supported.